Commit 9f12e53d authored by Dmytro Zaporozhets (DZ)'s avatar Dmytro Zaporozhets (DZ)

Merge branch 'cat-allow-sso-through-maintenance-mode' into 'master'

Allow SSO callbacks through maintenance mode

See merge request gitlab-org/gitlab!73550
parents 573f25ae b59f528b
......@@ -33,6 +33,11 @@ module EE
'oauth/tokens' => %w{create}
}.freeze
ALLOWLISTED_SSO_SIGN_IN_CONTROLLERS = [
'omniauth_callbacks',
'ldap/omniauth_callbacks'
].freeze
private
override :allowlisted_routes
......@@ -115,10 +120,14 @@ module EE
end
def sign_in_route?
return unless request.post? && request.path.start_with?('/users/sign_in', '/oauth/token',
'/users/auth/geo/sign_in')
return unless request.post?
is_regular_sign_in_route = request.path.start_with?('/users/sign_in', '/oauth/token', '/users/auth/geo/sign_in') &&
ALLOWLISTED_SIGN_IN_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
is_sso_callback_route = request.path.start_with?('/users/auth/') &&
ALLOWLISTED_SSO_SIGN_IN_CONTROLLERS.include?(route_hash[:controller])
is_regular_sign_in_route || is_sso_callback_route
end
def lfs_locks_route?
......
......@@ -30,10 +30,29 @@ RSpec.shared_examples 'write access for a read-only GitLab (EE) instance in main
end
shared_examples_for 'sign in/out and OAuth are allowed' do
include LdapHelpers
include LoginHelpers
before do
stub_ldap_setting({ enabled: true })
Rails.application.reload_routes!
# SAML draws a custom route, LDAP doesn't, so the reload needs to happen before this
# to prevent overwriting the SAML route.
stub_omniauth_saml_config(enabled: true, auto_link_saml_user: true, allow_single_sign_on: ['saml'])
end
after(:all) do
Rails.application.reload_routes!
end
where(:description, :path) do
'sign in route' | '/users/sign_in'
'sign out route' | '/users/sign_out'
'oauth token route' | '/oauth/token'
'SSO callback route' | '/users/auth/gitlab/callback'
'LDAP callback route' | '/users/auth/ldapmain/callback'
'SAML regular route' | '/users/auth/saml'
end
with_them do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment